
Into the Data Transfer Thicket: The Dutch Uber Decision and the Relationship Between GDPR Article 3 and Chapter V

This post argues that despite CJEU rulings, key GDPR data transfer rules for foreign firms remain unclear, and a decisive CJEU ruling is needed to resolve this issue.

Published on Oct 22, 2024

Despite being one of the most talked about areas of the GDPR and the subject of multiple CJEU decisions, key elements of GDPR’s data transfer regime are still open to interpretation. One lingering area of legal ambiguity is under what circumstances transfer safeguards are required by the GDPR if a foreign firm is already subject to the GDPR. The classic data transfer scenario might involve a foreign company not governed by the GDPR receiving EU personal data transmitted by an EU-based partner. In this scenario, the GDPR data transfer safeguards ensure that the GDPR’s high level of protection is not diminished when the data is moved. However, because of the GDPR’s extraterritorial effect, firms located abroad that target the EU for business can also be subject to the GDPR. For these foreign companies under the GDPR’s umbrella, applying the GDPR’s data transfer safeguards is not always intuitive.

A recent enforcement action by the Dutch DPA against Uber levied a steep 290 million euro fine for failing to apply GDPR’s Chapter V transfer safeguards for the company’s EU-U.S. data transfers – the largest to date from the Dutch DPA. But Uber in the U.S. was subject to the GDPR and was primarily collecting personal data directly from drivers in the EU. This decision departed from EDPB guidance which would not require the GDPR’s transfer safeguards for foreign firms directly collecting data from EU data subjects. The decision muddies legal requirements for data transfers, and the CJEU’s final word is critical to clarify the relationship between the GDPR’s territorial scope and transfer regime.  

 

I. GDPR Legal Obligations: Article 3 and Chapter V

Some background on the GDPR’s territorial scope and transfer safeguards is important to set the stage. Article 3 of the GDPR defines the territorial scope of the GDPR, while Chapter V establishes the safeguards necessary when personal data is transferred from the EU to a third country. A range of transfer mechanisms are available to support transfers from the EU to other countries under Chapter V – the most well-known among them adequacy decisions and standard contractual clauses.  However, the text of the GDPR does little to answer how the territorial scope relates to the transfer mechanisms.

Under Article 3(1), entities processing EU personal data can be subject to the GDPR if they have an “establishment” in the EU, Regulation (EU) No 2016/679. However, under Article 3(2), entities can also be subject to the GDPR if they do not have an establishment in the EU but they are engaged in:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.

 

In practice, this means the scope of the GDPR is extraterritorial, directly applying to companies operating abroad with no EU presence but that target the EU for business. 

Chapter V of the GDPR sets out required safeguards for data transfers from the EU to a third country. Under Article 44, a “transfer” of data can take place to a third country only if the conditions of Chapter V are complied with. According to the CJEU, this requires maintaining an “essentially equivalent” level of protection to that in the GDPR, read in light of the EU Charter of Fundamental Rights, Case C-311/18 (para. 105). Articles 45-47 of the GDPR articulate transfer tools that entities can rely upon for data flows to a third country: 1) an adequacy decision by the European Commission finding that the third country ensures an adequate level of protection, or 2) “appropriate safeguards” put in place between the data exporter and importer, such as standard contractual clauses (SCCs) adopted by the Commission, ad hoc contractual clauses approved by a competent DPA, and binding corporate rules for transfer within a multinational corporation or groups of companies. Importantly, under the recent Schrems II decision, when relying upon “appropriate safeguards” to transfer data, a firm is also required to independently assess whether that tool will ensure essentially equivalent protection or whether supplementary measures like encryption need to be implemented, Case C-311/18 (para. 105). This requires firms to analyze the proportionality of potential third country law enforcement or national security access to the transferred data. Article 49 also includes strictly interpreted derogations from the requirements for a transfer tool, like consent or contractual necessity, designed for limited and irregular transfers.

The text of the Regulation is not explicit about how Article 3 and Chapter V work together: are they applied simultaneously, mutually exclusive, or some combination based on the facts? Chapter V also only requires safeguards in instances of a “transfer,” but “transfer” is not defined. These ambiguities start to cause issues when data is transferred to a foreign entity to which the GDPR is directly applicable, or where a foreign company governed by the GDPR is directly collecting data from EU individuals. On the one hand, when the GDPR is already applicable to a foreign company, layering Chapter V safeguards on top is duplicative. And, if a motivating concern is the potential for disproportionate government access in the non-EU jurisdiction, many basic GDPR responsibilities already provide some backstop (e.g. requirements for DPIAs or security of processing). As such, the burdens of applying Chapter V might be weighed against relative risk, taking a narrower interpretation of the transfer rules. Others contend that the risk of potential non-EU law enforcement or national security access when data is processed abroad necessitates a broad reading of Chapter V, even if a given company is already governed by the GDPR. Chapter V also provides oversight, enforcement, and redress opportunities for firms located abroad, which can be harder to enforce against.

The newest set of SCCs released by the European Commission stoked this debate. According to the Commission’s FAQ, the current clauses only apply to transfers from entities “subject to the GDPR to transfer personal data to controllers or processors outside the EEA whose activities are not subject to the GDPR.”  They cannot be used to transfer personal data to foreign entities already subject to the GDPR.  The European Commission has stated that it is developing standard contractual clauses for transfers where the importer is subject to the GDPR, but it has yet to issue any additional SCCs.

Without obvious textual answers about the interplay between the GDPR’s territorial scope and its transfer obligations, the issue calls for clarification by Europe’s institutions. This need has become more pressing as enforcement around data transfers increases following the Schrems I and Schrems II judgments.

                   

II. EDPB Guidelines on the Relationship Between Article 3 and Chapter V

In 2021, the European Data Protection Board (EDPB) released guidance on the relationship between GDPR Article 3 and Chapter V to resolve these lingering ambiguities. While not binding, these highly authoritative guidelines both defined the concept of a “transfer” and concluded that in instances of direct collection of personal data from the EU, a foreign company already subject to the GDPR did not need to put in place Chapter V safeguards.  

The EDPB began by defining “transfer” for the first time. As noted above, Chapter V safeguards are only implicated in instances of a “transfer” to third countries, but the GDPR does not define that term. The EDPB concluded that a transfer occurs when:

1) A controller or a processor (“exporter”) is subject to the GDPR for the given processing.

2) The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).

3) The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.

 

Guidelines 05/2021 (para. 9)

Under this definition, Chapter V is required for transfers from an EU entity (controller or processor) to a foreign entity already subject to the GDPR. The second criterion does require that there be two separate entities transmitting and receiving the data, but this can include joint controllers, Guidelines 05/2021 (para. 20). But, critically, under this definition a transfer does not occur when data is directly disclosed by an individual in the EU to a firm in a third country, Guidelines 05/2021 (para. 18) (“…this second criterion cannot be considered as fulfilled when there is no controller or processor sending or making the data available (i.e. no “exporter”) to another controller or processor, such as when data are disclosed directly by the data subject to the recipient”).

The EDPB also took pains to note that even if there is no transfer requiring Chapter V safeguards, companies subject to the GDPR should nonetheless assess possible third country government access in relation to their other GDPR obligations. The EDPB stated that companies processing data outside the EU are responsible for reviewing the risk of disproportionate government access, Guidelines 05/2021 (Example 12). Companies located in the EU that are subject to third country laws on government access, such as an EU subsidiary of a foreign multinational, must also consider this risk. While Chapter V may not apply, multiple other GDPR responsibilities could still be triggered, such as security of processing (Article 32), data breach notification (Article 33), Data Protection Impact Assessments (Article 35), and others, Guidelines 05/2021 (para. 31).

The EDPB guidelines helped to settle the relationship between Article 3 and Chapter V, in particular by making clear that direct collection from the EU was not considered a transfer. The Board also addressed any potential gap from limiting the reach of Chapter V, concluding companies are not simply off the hook from considering the risks of third country government access to data.

 

III. Dutch DPA Uber Decision

However, a recent Dutch DPA enforcement action against Uber reopened the debate over the relationship between territorial scope and transfers. In coordination with the CNIL, the Dutch DPA announced in August 2024 that Uber transferred data to the U.S. without Chapter V safeguards, levying a fine of 290 million euro. The fine originated from a complaint to the French CNIL by NGO Ligue Des Droits De L’homme about the transfer of French Uber drivers’ data to the US. The transfer involved Uber B.V. (UBV), the Netherlands outpost of Uber, and Uber Technologies Inc (UTI), the parent company in the US. The Dutch DPA took a more expansive view of Chapter V than the EDPB. The DPA also stopped short of a crisply articulated alternative standard for its view on the relationship between Article 3 and Chapter V.

Uber historically relied upon SCCs when there was no EU-U.S. adequacy decision available, as was the case when the CJEU decision struck down the Privacy Shield in 2020 until the new Data Privacy Framework was adopted in 2023, Case No. [Redacted] (para. 42) [hereinafter Uber Decision]. In August 2021, Uber changed interpretations and decided that SCCs were no longer necessary since Article 3 of the GDPR directly applied to UTI’s processing of personal data in the U.S., Uber Decision (paras. 43-44). Uber then began to rely upon the Data Privacy Framework in November 2023, but it had no data transfer mechanism in place from August 2021 until November 2023, Uber Decision (para. 45).

The Dutch DPA concluded Uber transferred drivers’ data to the US in two scenarios.  Scenario one involved personal data of drivers in the EU collected via their Uber app and sent directly to UTI for storage in the U.S., Uber Decision (para. 17). Scenario two involved data relating to drivers’ exercise of rights under the GDPR in which UBV and UTI would collaborate; UBV scoped requests and communicated with data subjects, while UTI processed and made the requested data available to the requestor directly from UTI in the U.S., Uber Decision (para. 18).

Uber lodged several different arguments in its defense: that Chapter V was not applicable because UTI directly collected data from EU data subjects; that those data flows which did occur could not be considered international data transfers since UBV and UTI were joint data controllers to which the GDPR directly applied; and, finally, that any transfers qualified for Article 49(b-c) derogations on contractual necessity, Uber Decision (paras. 46-56). Uber also leaned on the fact that the Commission had not provided SCCs for scenarios in which the GDPR applied directly, so they had no available SCCs for any transfers from UBV to UTI, Uber Decision (para. 51).

The Dutch DPA did not accept any of these arguments. First, the DPA concluded that transfers between joint data controllers subject to the GDPR and located in different countries are governed by Chapter V, Uber Decision (paras. 97-98). This point is in agreement with the EDPB decision, which acknowledges that data exchanges between joint controllers can still be a transfer, including entities that are a part of the “same corporate group” when they “qualify as separate controllers or processors,” Guidelines 05/2021 (para. 21).

Where the Dutch DPA diverged from the EDPB was in its second conclusion: that both scenario one and scenario two involved a “transfer,” notwithstanding the fact that scenario one concerned EU Uber drivers’ direct transmission of data to UTI in the US. For this, the DPA leaned heavily on the employment relationship with UBV and the lack of control for drivers over the terms of employment and the data collected, Uber Decision (paras. 89, 92-94). The DPA also cited policy interests for reading Chapter V’s application this broadly. A foreign company to which the GDPR applies operates outside of all layers of EU law, the DPA argued, and given the difficulty of enforcement against a foreign entity, even when the GDPR governs a foreign company the level of protection may be diminished when personal data is processed abroad, Uber Decision (paras. 66-68). The Dutch DPA contended Chapter V was designed to counterbalance these risks and should be read broadly to give full protection, Uber Decision (paras. 68-70). As to the EDPB’s view, the DPA stated there was no conflict between its decision and the Guidelines because the EDPB did not consider an example of a data exporter in the contractual employment context, Uber Decision (para. 91).

Finally, the Dutch DPA found that Uber did not have an appropriate transfer instrument in place from August 2021-November 2023, Uber Decision (para. 110). Even though there were no SCCs available for scenarios in which the data importer is governed by the GDPR, the Dutch DPA said that Uber should not have concluded that SCCs or other transfer instruments were not necessary, Uber Decision (para. 109). Uber also could not rely on Chapter V’s derogations in Article 49(b) or (c) on contractual necessity, since Uber’s transfers were not “incidental,” but ongoing, and were not “necessary,” Uber Decision (paras. 118-26). As a result, Uber violated Article 44.

 

IV. Analysis and Next Steps

Uber is appealing the decision. Given the conflicts between the EDPB and the Dutch position, the Dutch courts are likely to ask the CJEU to weigh in on the relationship between Article 3 and Chapter V. Despite the Dutch DPA’s take that the EDPB Guidelines could be reconciled with its view, the EDPB decision was unequivocal that direct collection of EU personal data by a third country provider subject to the GDPR is not a transfer. The Dutch DPA decision to view Uber’s activity as a data transfer even in such cases reaches the opposite result. On this point, clarity from the CJEU is imperative.

The Dutch DPA decision also adds to the confusion by failing to lay out a clear legal standard for when, under its alternative view of Article 3 and Chapter V, a foreign provider subject to the GDPR would need to apply Chapter V safeguards. The Dutch DPA not only considered the employer relationship between UBV and the drivers, but looked to a variety of other contextual factors that bore on asymmetry of the Uber-driver relationship,  the involvement of both entities in determining the terms of that relationship, and the data transfer. If the CJEU determines that some instances of direct collection by third country providers are covered by Chapter V, the CJEU also has an opportunity to establish a concrete standard for when the provisions are triggered.

Until the issue is settled, EU entities subject to the GDPR under Article 3(2) in doubt of their Chapter V obligations would be wise to apply Chapter V transfer safeguards to their activity.


Eleni Kyriakides is an Adjunct Professor at Georgetown Law in Washington, D.C. Previously she worked at Meta where she advised the company on product privacy and at the Electronic Privacy Information Center (EPIC) where she managed the organization's international docket. She co-authored submissions in the landmark Schrems II case, has testified before the European Parliament on cross-border law enforcement data transfers, and has published widely on data protection issues.
